Posted on 08/03/2010 7:15:27 AM PDT by PugetSoundSoldier
At least this website - in addition to jailbreaking your phone - patches the hole in Safari...
iPhone rooted by just visiting a website ping!
I think this qualifies as an “OH SH*T” type of security hole, and it’s been known for quite a while. Who knows what’s been done to iPhones over the last few years when visiting compromised websites. This one does good (jailbreaks AND patches the exploit), but other ones? You’d never know, because if you get malicious code at the root level you can completely cover your tracks...
I have worked in security for over 20 years. I have only seen one device that a remote root-level hack has not been able to compromise and cover their tracks on: the old syslog printer.
Of course, it required someone to actually READ the logs ... but that is another story.
But how do you know it doesn’t also turn your iPhone into a sleeping zombie node of a botnet?
I have a 3Gs with OS4. What is the point of jailbreaking your phone? Does it unlock some other features or something? If I do not like what it does, can it be reversed without damaging my phone?
I think it’s usually done so you can use the phone with other networks.
There is a whole secondary ‘app store’ that is added when you jailbreak. From there, you can install all kinds of apps that Apple won’t allow or do things with the phone that aren’t generally sanctioned by Apple. There’s an app, so you don’t have to pay AT&T’s extortion fee to tether. (MyFi) There’s another (Intelliscreen) that offers lots of information on your lock screen in addition to nagging alerts which are a feature that is inexplicably missing from the iPhone. You get full control over the operating system and can install many Unix tools. You can even run an Apache server from your phone. You can also carrier unlock it and run the phone on T-Mobile if you want. There are thousands of ringtones, themes to modify the look of the phone, etc, as well.
You can run Facetime over 3G if you jailbreak (Though, I can’t imagine doing that with AT&T service, but then again I don’t get the whole Facetime thing anyway...). Jailbreakers had copy/paste, multitasking, etc, for years before Apple added them.
You also get the added bonus of patching this root vulnerability before someone else uses it for evil instead of good.
A jailbreak can be undone by putting the phone into recovery mode and restoring via iTunes.
Great answer!
Thanks for the info!
Yeah, but:
3. Slide to Jailbreak.
Reminds me of:
"This is the Amish Virus. We don't have computers, so this virus works on the honor system. Please mail this to all your friends and co-workers, then please delete all the files on your hard drive. Thank you! Sincerely, the Amish Virus Team."
Anything can be done with a cooperative operator. Lack of operator common sense is beyond the reach of even the best security design.
Note that the developer of that site purposefully placed that functionality on the website; the code waits until someone slides to execute. It could auto-execute the second you visit the website. The “slide to unlock” is simply a step added so that anyone who visits the site must explicitly “agree” to the jailbreaking by taking a singular step.
Remember, the scripts are already launched and on the device by the time the “slide to unlock” is shown. All the malicious code exists client side, there’s nothing to stop the scripts from executing other than the way the HTML was constructed.
Basically, this proves that simply visiting a website can compromise your iOS device. It’s been rumored to exist for a year or more, but never really identified, until now. Perhaps it’s because infections/malicious code that’s been exploiting this hole can clean up after itself since it’s running at root. Thus who knows how many devices were actually rooted, sifted, and then patched back up?
Perhaps this is also the source of all the “hey I didn’t order $999 worth of apps!” stories that have occurred over the last few years. What a creative way to sell a bunch of apps: create a website that will root an iPhone, get the app store account info from the phone, then clean yourself up. BINGO - now you have the ability to use another person’s app store information without them knowing, or even doing something wrong; they just visit your attack website and the damage is done.
Then one should expect Apple to patch this vulnerability more or less immediately, which will break the jailbroken phones, so everybody will bitch about that, too, right?
My take on the bitching: Too freakin' bad, boo hoo. Apple should fix this hole posthaste, and if it bricks a bunch of phones, that's a damn shame. Whether or not the Librarian of Congress says that jailbreaking is legal, Apple has no responsibility to support (i.e. not brick) the jailbroken phones, since that clearly voids the warranty.
If I were Apple I'd be pretty pissed off about now, and itching to correct the flaw that allowed this hack.
If you have a jailbroken phone, you should have enough savvy to avoid doing any Apple updates until you know how it will affect your phone.
If you do want to go back to a non-jailbroken phone, it is as simple as doing a full restore. Then you can update to the newest firmware without any issues. I’ve done that in the past.
Non-tech people should stick to the default firmware and avoid playing with dodgy stuff.
Yep. This is a HUGE hole, allowing unrestricted code execution at root level. The kind of vulnerability that many here have claimed over and over can never happen on any Apple device. It's impossible, it's invulnerable, and anyone stating anything opposite was a liar and simply creating FUD.
And now we find that just visiting a website can compromise your entire iOS device at the root level.
Apple should have this hole closed today. Anything longer than that shows they really do NOT care about security. This is about the worst hole you could have in a MID (Mobile Internet Device).
Whether or not the Librarian of Congress says that jailbreaking is legal, Apple has no responsibility to support (i.e. not brick) the jailbroken phones, since that clearly voids the warranty.
I fully agree, and I don't think anyone is saying anything differently. The big change was that Apple can no longer come after you for jailbreaking your phone. But if you do, you're responsible for what happens.
If I were Apple I'd be pretty pissed off about now, and itching to correct the flaw that allowed this hack.
What's interesting - the hole exists in the PDF reader. The reader that APPLE wrote, since they deemed Adobe's reader as "too vulnerable" (and not so surprisingly, the Adobe Reader does not have this vulnerability). This is 100% on Apple's head, they created the hole, it's been distributed for at least 2.5 years, and there is NO WAY of knowing if it's ever been exploited, since any exploit can cover its tracks.
So much for the vaunted invulnerability of iOS!
Just tried this on my 3G and so far it is working as advertised. Now I can get MyWi back on the phone.
Good to hear! Seems that most people that visit the site have great success with it... I guess it’s a blessing in disguise that this arbitrary code execution hole exists.
No need to crow. :) I understand you’ve taken a lot of heat on the forum in the past about this, so a certain amount of “I told you so” is perhaps warranted. But let us move forward to encourage Apple to close this up pronto. No one benefits from -any- manufacturer having gaping holes lying around.
WOW. That is an amazing hack. And a real one too! Nice catch.
I looked at the code too, very well done. I expect it patched by morning, but they did a very good trick: using the PDF interpreter to load code through Safari.
Of course, this only lends MORE credibility to Jobs' resistance to Adobe’s Flash. Adobe invented PDF too.
61 lines of code. Very elegant actually.
This is the code for my version of the iPhone while I wait for my White 4.
--- SAFE JUST A COPY ---
%!PS-Adobe-3.0
%%Pages: (atend)
%%BoundingBox: 0 0 0 0
%%HiResBoundingBox: 0.000000 0.000000 0.000000 0.000000
%%Creator: GPL Ghostscript 871 (pswrite)
%%CreationDate: 2010/08/02 20:22:49
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%EndComments
%%BeginProlog
% This copyright applies to everything between here and the %%EndProlog:
% Copyright (C) 2010 Artifex Software, Inc. All rights reserved.
%%BeginResource: procset GS_pswrite_2_0_1001 1.001 0
/GS_pswrite_2_0_1001 80 dict dup begin
/PageSize 2 array def/setpagesize{ PageSize aload pop 3 index eq exch
4 index eq and{ pop pop pop}{ PageSize dup 1
5 -1 roll put 0 4 -1 roll put dup null eq {false} {dup where} ifelse{ exch get exec}
{ pop/setpagedevice where
{ pop 1 dict dup /PageSize PageSize put setpagedevice}
{ /setpage where{ pop PageSize aload pop pageparams 3 {exch pop} repeat
setpage}if}ifelse}ifelse}ifelse} bind def
/!{bind def}bind def/#{load def}!/N/counttomark #
/rG{3{3 -1 roll 255 div}repeat setrgbcolor}!/G{255 div setgray}!/K{0 G}!
/r6{dup 3 -1 roll rG}!/r5{dup 3 1 roll rG}!/r3{dup rG}!
/w/setlinewidth #/J/setlinecap #
/j/setlinejoin #/M/setmiterlimit #/d/setdash #/i/setflat #
/m/moveto #/l/lineto #/c/rcurveto #
/p{N 2 idiv{N -2 roll rlineto}repeat}!
/P{N 0 gt{N -2 roll moveto p}if}!
/h{p closepath}!/H{P closepath}!
/lx{0 rlineto}!/ly{0 exch rlineto}!/v{0 0 6 2 roll c}!/y{2 copy c}!
/re{4 -2 roll m exch dup lx exch ly neg lx h}!
/^{3 index neg 3 index neg}!
/f{P fill}!/f*{P eofill}!/s{H stroke}!/S{P stroke}!
/q/gsave #/Q/grestore #/rf{re fill}!
/Y{P clip newpath}!/Y*{P eoclip newpath}!/rY{re Y}!
/|={pop exch 4 1 roll 1 array astore cvx 3 array astore cvx exch 1 index def exec}!
/|{exch string readstring |=}!
/+{dup type/nametype eq{2 index 7 add -3 bitshift 2 index mul}if}!
/@/currentfile #/${+ @ |}!
/B{{2 copy string{readstring pop}aload pop 4 array astore cvx
3 1 roll}repeat pop pop true}!
/Ix{[1 0 0 1 11 -2 roll exch neg exch neg]exch}!
/,{true exch Ix imagemask}!/If{false exch Ix imagemask}!/I{exch Ix image}!
/Ic{exch Ix false 3 colorimage}!
/F{/Columns counttomark 3 add -2 roll/Rows exch/K -1/BlackIs1 true>>
/CCITTFaxDecode filter}!/FX{<</EndOfBlock false F}!
/X{/ASCII85Decode filter}!/@X{@ X}!/&2{2 index 2 index}!
/@F{@ &2<<F}!/@C{@X &2 FX}!
/$X{+ @X |}!/&4{4 index 4 index}!/$F{+ @ &4<<F |}!/$C{+ @X &4 FX |}!
/IC{3 1 roll 10 dict begin 1{/ImageType/Interpolate/Decode/DataSource
/ImageMatrix/BitsPerComponent/Height/Width}{exch def}forall
currentdict end image}!
/~{@ read {pop} if}!
end def
%%EndResource
/pagesave null def
%%EndProlog
%%Trailer
%%Pages: 0
%%EOF
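The posts above locate the hole in the PDF renderer and describe the trick as "using the PDF interpreter to load code through Safari". A practitioner's first question about any PDF a page pushes at a phone is therefore: what does this file ask the renderer to parse? The script below is an added example written for this page; it is not code from the thread and not the JailbreakMe site's code. It does two things: a header check (a file served as a PDF that does not begin with %PDF- deserves a second look; run over the listing just above, the check reports it as PostScript, which matches its GPL Ghostscript pswrite %%Creator line), and a regex inventory of every object in a PDF that flags keys which feed attacker-controlled bytes to a parser or run actions on open: embedded font programs (/FontFile, /FontFile2, /FontFile3 and Type1C streams), /JavaScript, /Launch, /EmbeddedFile, /OpenAction and /AA. The emphasis on font streams reflects a fact known independently of this thread: the 2010 JailbreakMe file carried its trigger in an embedded CFF (Type1C) font program. The sample PDF is constructed for the example. The inventory is deliberately simple and does not decode filtered streams or object streams, so it reports how many it could not inspect rather than claiming a clean result.

```python
import re
from collections import Counter

# Constructed sample PDF for this example (not the JailbreakMe file): one page,
# an embedded Type1C (CFF) font program and a document-level JavaScript OpenAction.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Foo /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /Foo /FontFile3 7 0 R >> endobj
6 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
7 0 obj << /Subtype /Type1C /Length 4 >> stream
\x01\x00\x04\x01
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# First lines of the listing posted above, copied here for the header check.
POSTED_LISTING_HEAD = (b"%!PS-Adobe-3.0\n%%Pages: (atend)\n"
                       b"%%Creator: GPL Ghostscript 871 (pswrite)\n")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
TYPE_RE = re.compile(rb"/Type\s*/([A-Za-z0-9]+)")
# Keys that hand attacker-controlled bytes to a parser (font programs, embedded
# files) or run script/actions when the document is opened.
RISKY_RE = re.compile(rb"/(FontFile[23]?|JavaScript|JS|Launch|EmbeddedFile|OpenAction|AA)\b")


def classify_header(data):
    """Return 'pdf', 'postscript' or 'unknown' from the file's leading bytes."""
    head = data.lstrip()[:16]
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"%!PS"):
        return "postscript"
    return "unknown"


def inventory_pdf(data):
    """Walk every 'N G obj ... endobj' span and record its /Type, any risky keys,
    and whether it carries a filtered stream that this regex pass cannot read.
    No xref parsing and no object-stream decoding: a triage pass, not a parser."""
    types, findings, compressed, count = Counter(), [], 0, 0
    for m in OBJ_RE.finditer(data):
        count += 1
        num, body = int(m.group(1)), m.group(2)
        t = TYPE_RE.search(body)
        if t:
            types[t.group(1).decode()] += 1
        for k in RISKY_RE.finditer(body):
            findings.append((num, "/" + k.group(1).decode()))
        if b"stream" in body and re.search(rb"/Subtype\s*/Type1C\b", body):
            findings.append((num, "CFF font program (Type1C stream)"))
        if b"stream" in body and re.search(rb"/Filter\b", body):
            compressed += 1
    return {"objects": count, "types": types, "findings": findings,
            "compressed": compressed}


def triage(data):
    """One line per finding, returned as a list so callers can check it."""
    kind = classify_header(data)
    if kind != "pdf":
        return ["not a PDF: header says " + kind]
    inv = inventory_pdf(data)
    report = ["%d objects, types=%s" % (inv["objects"], dict(inv["types"]))]
    report += ["obj %d: %s" % (num, what) for num, what in inv["findings"]]
    if inv["compressed"]:
        report.append("%d filtered stream(s) not inspected; decode them before "
                      "trusting a clean result" % inv["compressed"])
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_PDF) + triage(POSTED_LISTING_HEAD):
        print(line)
```

On the sample file the report lists the /OpenAction in the catalog, the /FontFile3 reference in the font descriptor, the /JavaScript action and the Type1C stream; on the posted listing it stops at the header. The caveat matters in practice: real-world malicious PDFs routinely put their dictionaries inside FlateDecode object streams precisely so that a grep-style pass like this sees nothing, so a clean inventory with a non-zero "not inspected" count is not a clean file.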
Rachel, you should know that the PDF viewer in iOS was 100% written by Apple; Adobe had nothing to do with it other than being the source of the file specification.
This hole does NOT exist in Adobe's reader - only the one that Apple created. This is Apple's - and Apple's alone - major security hole.
You can now apologize for calling me a liar and much worse when I said there were holes in iOS, including one that gives a website 100% unrestricted root access to an iPhone by just browsing to that site.
I’d just like to have one of those who called me nearly every name in the book actually admit I was correct, and apologize for their behavior.
I have a feeling I’ll be waiting forever, though... We already see the line is “it’s Adobe’s fault” when in fact it’s nothing to do with Adobe, but Apple and Apple alone.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.